<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>So this is something ET peeps fix?</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> "<a href="mailto:jesler@sourcefire.com">jesler@sourcefire.com</a>" &lt;<a href="mailto:jesler@sourcefire.com">jesler@sourcefire.com</a>&gt;<br><span style="font-weight:bold">Date: </span> Sun, 23 Oct 2011 10:27:04 -0500<br><span style="font-weight:bold">To: </span> Nathan Gibson &lt;<a href="mailto:nathan-gibson@ouhsc.edu">nathan-gibson@ouhsc.edu</a>&gt;<br><span style="font-weight:bold">Cc: </span> "<a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a>" &lt;<a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a>&gt;<br><span style="font-weight:bold">Subject: </span> Re: [Emerging-Sigs] 2002034 issue<br></div><div><br></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">This is because a "depth" is being used with the fast_pattern:only statement. &nbsp;You can't do that. &nbsp;<div><br></div><div><br></div><div><br><div><div>On Oct 23, 2011, at 11:21 AM, Gibson, Nathan J. (HSC) wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Been running ET for a while now. Had this error today. 
Any thoughts?</div><div><br></div><div><br></div><div><br></div><div><span class="Apple-style-span" style="font-family: Consolas; font-size: medium; ">10/23/2011 2:01 AM :&nbsp;&nbsp; snort[29071]: FATAL ERROR: /etc/snort/rules/snort.rules(3219) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.</span></div><div><br></div><div><br></div><div><br></div><div><br></div><div><div>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,<a href="http://doc.emergingthreats.net/2002033">doc.emergingthreats.net/2002033</a>; classtype:trojan-activity; sid:2002033; rev:16;)</div><div>alert tcp $HOME_NET $HTTP_PORTS -&gt; $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,<a href="http://doc.emergingthreats.net/bin/view/Main/2002034">doc.emergingthreats.net/bin/view/Main/2002034</a>; classtype:misc-activity; sid:2002034; rev:8;)</div></div><div><br></div></div>
_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a><br><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br><br>Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com">http://www.emergingthreatspro.com</a><br>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!</blockquote></div><br></div></div></div></span></body></html>
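The conflict named in the reply above (a content match marked fast_pattern:only that also carries depth) can be caught before Snort loads the ruleset. The following is an added example, not part of the original thread or of the Emerging Threats project; the function names are hypothetical, and the set of disallowed modifiers is taken from the wording of the FATAL ERROR message quoted in the thread.

```python
# Modifiers the quoted Snort error rules out for a fast_pattern:only content:
# relative ones always, offset/depth when non-zero.
RELATIVE = {"distance", "within"}
POSITIONAL = {"offset", "depth"}

# The two rules quoted in the thread, copied as posted.
RULE_2002033 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16;)'
RULE_2002034 = r'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:misc-activity; sid:2002034; rev:8;)'

def split_options(rule):
    """Return [(name, value)] for the rule's options, honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == ";" and not in_quote: # unquoted ';' ends one option
            name, _, value = "".join(buf).strip().partition(":")
            if name:
                opts.append((name.strip(), value.strip()))
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    return opts

def fast_pattern_only_conflicts(rule):
    """Return [(content, [conflicting modifiers])] for each fast_pattern:only content."""
    findings, current = [], None
    def flush():
        if current and current["only"] and current["bad"]:
            findings.append((current["content"], current["bad"]))
    for name, value in split_options(rule):
        if name in ("content", "uricontent"):   # a new match starts a new modifier group
            flush()
            current = {"content": value, "only": False, "bad": []}
        elif current is None:
            continue
        elif name == "fast_pattern" and value == "only":
            current["only"] = True
        elif name in RELATIVE or (name in POSITIONAL and value != "0"):
            current["bad"].append(f"{name}:{value}")
    flush()
    return findings

if __name__ == "__main__":
    for rule in (RULE_2002033, RULE_2002034):
        print(fast_pattern_only_conflicts(rule))
```

Run over the two quoted rules, only sid 2002033 is reported, for the "PRIVMSG " content with depth:8; the within:30 on the second content is not a conflict because that content is not marked fast_pattern:only.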